JWT Decoder
Decode JWT tokens instantly. Runs entirely in your browser — tokens are never sent to any server.
How JWT tokens work
A JWT has three Base64Url-encoded parts separated by dots: Header (algorithm) · Payload (claims) · Signature (verification).
What is a JWT Token?
A JSON Web Token (JWT) is a compact, URL-safe token used to represent claims between two parties. When you log into a web app, the server sends back a JWT that your browser sends with every future request to prove your identity.
JWT Structure
A JWT has three Base64Url-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJSYXZpIiwiaWF0IjoxNzAwMDAwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
First part: Header · second part: Payload · third part: Signature
Standard JWT Claims
| Claim | Name | Description |
|---|---|---|
| sub | Subject | Identifies the user — usually the user ID |
| iss | Issuer | The server or service that issued the token |
| aud | Audience | The recipients the token is intended for |
| exp | Expiration | Unix timestamp after which the token is invalid |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token is not valid before this Unix timestamp |
| jti | JWT ID | Unique identifier to prevent replay attacks |
| alg | Algorithm | Signing algorithm used — HS256, RS256, etc. (a header parameter, not a payload claim) |
Decode vs Verify
✓ Decoding (what JSONKit does)
- Reads header and payload by reversing Base64Url encoding
- No secret key needed
- Anyone with the token can do this
- Safe to do in the browser
⚠ Verifying (server only)
- Checks signature using the secret key
- Proves token was not tampered with
- Must only happen on the server
- Never do this in the browser
Check Token Expiry in Code
```js
// Decode and check expiry in JavaScript (decoding only: the signature is NOT verified)
function base64UrlDecode(str) {
  // JWT parts use the Base64Url alphabet; map it back to Base64 and restore padding
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), "="));
}

// `token` is the JWT string, e.g. taken from the Authorization header
const parts = token.split(".");
const payload = JSON.parse(base64UrlDecode(parts[1]));
const now = Math.floor(Date.now() / 1000);
if (payload.exp && payload.exp < now) {
  console.log("Token expired at:", new Date(payload.exp * 1000));
} else {
  console.log("Token not expired (signature not checked)");
}
```
JWT Security Best Practices
- Never put secrets in the payload — The payload is only encoded, not encrypted — anyone with the token can read it
- Always verify on the server — Client-side signature verification is not meaningful security
- Use short expiry times — Access tokens should expire in 15 minutes to 1 hour — use refresh tokens for longer
- Always use HTTPS — JWTs transmitted over plain HTTP can be intercepted and reused
- Never log tokens — Tokens in log files are a security risk if logs are not properly secured